25 April 2023
Ian Hulme is the ICO's Director of Regulatory Assurance. He led our operational response to the pandemic and leads our stakeholder relationships with the health and care sector.
The ICO’s work is often in the headlines, and our recent enforcement action against TikTok for allowing over a million UK children to use its platform without parental consent brought international media attention.
In practice, the majority of our work to protect people’s privacy rights has a far lower profile. Making sure people are considering data protection at an early stage, and providing the advice and support to ensure privacy protections are built into new services is less glamorous, but very effective.
Our work with the Department of Health and Social Care and Welsh Government around the NHS Covid app is a prime example. The app will be officially decommissioned on Thursday, after a fall in the number of users across England and Wales. It marks the end of a journey that began in the pandemic, and saw as many as 30 million people download the app.
The ICO offered advice and support to DHSC from the start, recognising the vital role that data played in navigating the pandemic and our responsibility, as a regulator, to protect people’s privacy during the development of new technology. Given the unprecedented circumstances, our teams worked hard to ensure that data protection law wasn’t a barrier to this innovation and privacy considerations were built into the lifecycle of the app – from design to decommission.
We were the first data protection authority to share a formal Opinion on the joint Google-Apple contact tracing API, just days after it was first published in April 2020. This was shortly followed by our data protection expectations for app development that served as a touchpoint throughout the pandemic. As the app’s functionality evolved, we continued to engage with DHSC and Welsh health bodies to ensure privacy and transparency were considered every step of the way.
Decommissioning was a key part of our expectations for the NHS Covid app. We made it clear to the Department of Health and Social Care that for people to have confidence in the app, they must be able to trust that their data would be deleted once the app was no longer required. We’re pleased that our work, started in March 2020, has helped to protect millions of people across the UK.
The same approach brought similar benefits across the UK. In Scotland, we offered advice and support on the development of the Protect Scotland app and in Northern Ireland, we provided advice and support on the development of the StopCovidNI app. Both proximity tracing apps followed the design principles set out in our expectations document and in line with these expectations, the Scottish app was decommissioned in April 2022 and the NI app was decommissioned in June 2022.
It’s an approach we continue to take today, working closely with organisations to support them to get data protection right from the start when creating new products and services. Our enforcement work may get the headlines, but it is the influence we can have over crucial moments behind the scenes that allows us to make the biggest difference.